CROSS-BORDER PRIVACY RULES SYSTEM JOINT OVERSIGHT PANEL. RECOMMENDATON REPORT ON APEC RECOGNITION OF TRUSTe

Transcription

1 CROSS-BORDER PRIVACY RULES SYSTEM JOINT OVERSIGHT PANEL RECOMMENDATON REPORT ON APEC RECOGNITION OF TRUSTe Submitted To: Ms. Lourdes Yaptinchay Chair, APEC Electronic Commerce Steering Group 19 February 2013, as amended 18 June 2013

2 TABLE OF CONTENTS Executive Summary...1 Scope of Consultation Process...1 Recommendation of the Joint Oversight Panel...2 Request for Consensus Determination...3 Enforceability....4 Recognition Criteria...6 Conflicts of Interest (Recognition Criteria 1-3)... 6 Program Requirements (Recognition Criterion 4)...8 Certification Process (Recognition Criterion 5)... 8 On-going Monitoring and Compliance Review Processes (Recognition Criteria 6, 7)... 9 Re-Certification and Annual Attestation (Recognition Criterion 8)...10 Dispute Resolution Process (Recognition Criteria 9, 10) Mechanism for Enforcing Program Requirements (Recognition Criteria 11-15) Case Notes and Statistics Signature

3 EXECUTIVE SUMMARY In July 2012, the United States formally commenced participation in the Cross Border Privacy Rules (herein CBPR ) system. Pursuant to Paragraph 5 of the Protocols of the Joint Oversight Panel, the United States was then eligible to accept applications for recognition by one or more Accountability Agents operating within its jurisdiction. At that time, the U.S. Department of Commerce invited those organizations interested in serving as an Accountability Agent in the United States to notify the Department of their intent to seek APEC recognition and submit a completed application for initial review to the Office of Technology and Electronic Commerce. On September 21, 2012, the Office of Technology and Electronic Commerce received an application from TRUSTe for APEC recognition. After having reviewed the completeness of this application, the U.S. Department of Commerce forwarded this submission to the Joint Oversight Panel (herein JOP ) on October 3, SCOPE OF CONSULTATION PROCESS Pursuant to Paragraph 6.2 of the Charter of the Joint Oversight Panel, members of the JOP 1 began a consultative process with representatives from TRUSTe and the United States Federal Trade Commission (a participant in the Cross Border Privacy Enforcement Arrangement) to: Confirm the enforceability of an organization s CBPR obligations once certified as CBPR compliant by TRUSTe; Confirm TRUSTe s location and the relevant Enforcement Authority; Confirm that TRUSTe meets the recognition criteria as identified in the Accountability Agent Application for Recognition; Confirm TRUSTe makes use of program requirements that meet the baseline established in the CBPR system; and Confirm TRUSTe has provided the necessary signature and contact information. The following Recommendation Report was drafted by members of the JOP pursuant to paragraphs of the Protocols of the APEC Cross-Border Privacy Rules System Joint Oversight Panel. 1 For purposes of this consultative process JOP membership consist of: Josh Harris, United States Department of Commerce; Elizabeth Argüello Maya, Ministry of Economy, Mexico; and Susan Lu, Bureau of Foreign Trade, Chinese Taipei 1

4 RECOMMENDATION OF THE JOINT OVERSIGHT PANEL Having verified the United States is a participant in the APEC Cross Border Privacy Rules System and has demonstrated the enforceability of the CBPR program requirements pursuant to the information provided in Annex B of the United States Notice of Intent to Participate; Having verified TRUSTe is located in the United States and is subject to the enforcement authority described in Annex A of the United States Notice of Intent to Participate; Having verified with the Administrators of the APEC Cross Border Privacy Enforcement Arrangement (CPEA) that the United States Federal Trade Commission, a Privacy Enforcement Authority in the United States, is a participant in the APEC CPEA; Having determined, in the opinion of the members of the Joint Oversight Panel, that TRUSTe has policies in place that meet the established recognition criteria and makes use of program requirements that meet those established in the CBPR system, and; Having verified TRUSTe has provided the required signature and contact information; The JOP recommends APEC member Economies consider the conditions established in 6.2 (ii) of the Charter of the Joint Oversight Panel to have been met by TRUSTe and to grant TRUSTe s request for APEC recognition to certify organizations within the United States and under the jurisdiction of the United States Federal Trade Commission as compliant with the CBPR system pursuant to the established guidelines governing the operation of the CBPR system. Signed, Josh Harris Chair, Joint Oversight Panel United States Department of Commerce Elizabeth Argüello Maya Co-Chair, Joint Oversight Panel Ministry of Economy, Mexico Susan Lu Co-Chair, Joint Oversight Panel Bureau of Foreign Trade, Chinese Taipei 19 February

5 REQUEST FOR CONSENSUS DETERMINATION APEC member Economies are asked to make a determination as to TRUSTe s request for recognition, taking into account the JOP s recommendation. Any APEC member Economy has the right to reject the request of an applicant Accountability Agent for recognition for failure to meet any of the recognition criteria required in the APEC Accountability Agent Recognition Application. When making this determination, any APEC member Economy may request additional information or clarification from TRUSTe or the JOP. If no objection is received within the deadline for consensus determination as established by the ECSG Chair, the request will be considered to be approved by the ECSG. Should member Economies determine that TRUSTe has met the necessary criteria, APEC recognition will be limited to one year from the date of recognition, one month prior to which, TRUSTe may re-apply for APEC recognition if it so wishes, following the same process described herein. 3

6 I. ENFORCEABILITY Is the Applicant subject to the jurisdiction of the relevant enforcement authority in a CBPR participating Economy? Recommendation The JOP is satisfied that TRUSTe is subject to the jurisdiction of the United States Federal Trade Commission (FTC), a participant in the Cross Border Privacy Enforcement Arrangement (CPEA). Discussion In its Notice of Intent to Participate 2, the United States described its enforcement authority as follows: To become a recognized APEC Accountability agent, an applicant must complete and sign the Accountability Agent APEC Recognition Application By publicly posting its Recognition Application, a recognized APEC Accountability Agent further represents that the answers contained in the document are true. In addition, any organization that publicly displays a seal, trustmark or other symbol indicating its participation in the CBPR System, or causes its name to appear on a list of recognized APEC Accountability Agents, is making an enforceable representation that it complies with the requirements applicable to a recognized APEC Accountability Agent. If an APEC-recognized Accountability Agent subject to the jurisdiction of the Federal Trade Commission (FTC) fails to comply with any of these requirements, its representations of compliance may constitute unfair or deceptive acts or practices in violation of Section 5 of the FTC Act, 15 U.S.C. 45. The FTC has broad authority to take action against unfair and deceptive acts and practices. Furthermore, if an APEC-recognized Accountability Agent authorizes the use of its certification mark, 15 U.S.C. 1127, to convey compliance with the CBPR program requirements, under Section 14(5) of the Lanham Act, 15 U.S.C. 1064(5), the U.S. Patent and Trademark Office may cancel the certification mark if the Accountability Agent (a) does not control, or is not able legitimately to exercise control over, the use of such mark, including by failing to monitor the activities of those who use the mark, (b) engages in the production or marketing of any goods or services to which the certification mark is applied, (c) permits the use of the certification mark for purposes other than to certify, or (d) discriminately refuses to certify or to continue to certify the goods or services of any person who maintains the standards or conditions which such mark certifies. The JOP has confirmed that TRUSTe is subject to the regulatory oversight and enforcement authority of the United States Federal Trade Commission (herein FTC ) since it is a Delaware- 2 US Notice of Intent to Participate available at Investment/~/media/AC455B99C BC8B E.ashx 4

7 based for profit entity 3. The JOP has further confirmed that the FTC is a participant in the Cross Border Privacy Enforcement Arrangement (herein CPEA ) 4 and that the United States is a recognized participant in the APEC CBPR System 5. TRUSTe agrees that should it receive APEC recognition, it will publicly indicate its participation in the CBPR System including allowing its name to appear on a list of recognized APEC Accountability Agents. TRUSTe agrees to post all CBPR-certified companies online (to be made available at as well as the applicable CBPR program requirements. The JOP has verified that TRUSTe has completed and signed the Accountability Agent APEC Recognition Application. [NOTE: As part of the consultation process, Member Economies requested confirmation that TRUSTe may only provide CBPR certification for those organizations under the jurisdiction of the FTC. TRUSTe understands it may only certify organizations under FTC jurisdiction as CBPR compliant and agrees to this limitation.] 3 Registered as True Ultimate Standards Everywhere, file number , at accessed on November 28, see Group/Cross-border-Privacy-Enforcement-Arrangement.aspx 5 JOP Findings Report available at Investment/~/media/BBDCED12534F4EA48F3542D03AFD56B9.ashx; 5

8 II. RECOGNITION CRITERIA The Accountability Agent Application for Recognition 6 requires applicants to describe how each of the 15 Accountability Agent Recognition Criteria have been met using the Accountability Agent Recognition Criteria Checklist. Following is an overview of each listed requirement and recommendation of the sufficiency of each based on the information submitted to the JOP by TRUSTe. Conflicts of Interest (Recognition Criteria 1-3) Applicant Accountability Agent should describe how requirements 1(a) and (b) in Annex A of the Accountability Agent Application for APEC Recognition have been met and submit all applicable written policies and documentation. Applicant Accountability Agent should submit an overview of the internal structural and procedural safeguards to address any of the potential or actual conflicts of interest identified in 2(b) of Annex A of the Accountability Agent Application for APEC Recognition. Applicant Accountability Agent should describe the disclosure/withdrawal mechanisms to be used in the event of any actual conflict of interest identified. Recommendation: The JOP is satisfied that TRUSTe meets Recognition Criteria 1-3. Discussion Obligation to Impartially Administer Certification Any entity maintaining a registered trademark in the United States is required by law to apply certification standards in an impartial manner. The JOP has confirmed that TRUSTe maintains a registered trademark in the United States 7 and is therefore required to apply its certification standards in an impartial manner. Title 15, Chapter 22, Subchapter I, 1064 of the United States Code 8 permits the Federal Trade Commission to request that the United States Patent and Trademark Office cancel this trademark on the grounds that the holder of the mark discriminately refuses to certify or to continue to certify the goods or services of any person who maintains the standards or conditions which such mark certifies. (See U.S. Notice of Intent to Participate, Annex A, [I]f an APEC-recognized Accountability Agent authorizes the use of its certification mark, 15 U.S.C. 1127, to convey compliance with the CBPR program requirements, under Section 14(5) of the Lanham Act, 15 U.S.C. 1064(5), the U.S. Patent and Trademark Office may cancel the certification mark if the Accountability Agent (a) does not control, or is not able legitimately to exercise control over, the use of such mark, including by failing to monitor the activities of those who use the mark, (b) engages in the production or marketing of any goods or services to which the certification mark is applied, (c) permits the use of the certification mark for purposes other than to certify, or (d) discriminately refuses to certify 6 Available at Investment/~/media/Files/Groups/ECSG/CBPR/CBPR-AccountabilityAgentApplication.ashx 7 See USC 1064, available at 6

9 or to continue to certify the goods or services of any person who maintains the standards or conditions which such mark certifies. ) Obligation on Behalf of Employees and Officers to Avoid Conflicts of Interest Under the California Labor Code 9, all employees owe a duty of loyalty to their employer (see California Labor Code , "[a]n employee who has any business to transact on his own account, similar to that entrusted to him by his employer, shall always give the preference to the business of the employer.) As such, no employee of TRUSTe can be employed by any other entity, whether or not that entity is a licensee of TRUSTe. This duty is incorporated into TRUSTe s corporate policy prohibiting any actual conflicts of interest in the certification of TRUSTe Licensees and applies to all TRUSTe employees (see Internal Conflicts of Interest Policy, below). In addition, Article 9 of TRUSTe s Articles of Incorporation imposes penalties on any member of the Board of Directors who violates their duty of loyalty to TRUSTe ( A director of this corporation shall not be personally liable to this corporation or its stockholders for monetary damages for breach of fiduciary duty as a director, except for liability (i) for any breach of the director's duty of loyalty to this corporation or its stockholders, (ii) for acts or omissions not in good faith or that involve intentional misconduct or a knowing violation of law, (iii) under Section 174 of the General Corporation Law 11, or (iv) for any transaction from which the director derived any improper personal benefit ). Violation of this duty of loyalty is prohibited under California law 12. Internal Conflict of Interest Policy Sales of TRUSTe certification services are done by TRUSTe customer service representatives. TRUSTe s corporate conflict of interest policy requires these sales representatives operate under a separate management structure from TRUSTe s Customer Service Managers, which performs all initial review and certification functions for TRUSTe. In addition, TRUSTe s Quality Assurance team must provide a second, independent assessment anytime a previously certified company purchases additional services through a TRUSTe customer service representative. 13 TRUSTe has stipulated that it does not engage with its clients to perform consulting services outside of the functions described in paragraphs 5-14 of the Accountability Agent Recognition Criteria. Where TRUSTe does consult with regard to privacy practices not specifically addressed by a certification program, TRUSTe has stated that such work is executed by a member of the Legal department staff, as opposed to Operations staff, pursuant to the terms of TRUSTe s 9 TRUSTe s certification offices in the United States are located at 835 Market Street #800, San Francisco, CA All employees in this location are subject to California Labor Code. 10 Available at 11 Available at 12 See 13 TRUSTe has provided the JOP with business proprietary documentation outlining the separation of personnel handling privacy certification functions from personnel handling sales and consulting functions as well as internal policies on the prohibition of conflicts of interest. Pursuant to the terms of the JOP Charter, this information is not included in this report, since this report is to be made publicly available. Should an Economy have further questions on this documentation, please contact the JOP. 7

10 Service Delivery Conflicts of Interest Policy. TRUSTe agrees to notify the JOP of the existence of such engagements along with an explanation of the safeguards in place to ensure TRUSTe remains free of actual or potential conflicts of interest arising from the engagement. TRUSTe commits to withdraw from particular engagements where appropriate (see paragraph 1(b)(i) of the Accountability Agent Recognition Criteria identifying conditions requiring withdrawal) and to notify APEC member Economies, through the JOP, of such withdrawal. TRUSTe further agrees to notify APEC member Economies, through the JOP, of any activities or business ventures identified in subsection 1(b) of the Accountability Agent Recognition Criteria that might on their face have been considered a conflict of interest but which did not result in withdrawal. This notification will include a description of the reasons for non-withdrawal and the measures TRUSTe took to avoid or cure any potential prejudicial results stemming from the actual or potential conflict of interest. [NOTE: As part of the consultation process, Member Economies requested further clarification as to the separation of TRUSTe s consulting and certification services. Recognition Criterion 2(d) permits an Accountability Agent to perform consulting or technical services for an Applicant organization or Participant organization other than services relating to their certification and on-going participation in the CBPR System and requires the Accountability Agent to disclose to the Joint Oversight Panel the existence of the engagement; and an explanation of the safeguards in place to ensure that the Accountability Agent remains free of actual or potential conflicts of interest arising from the engagement. However, TRUSTe does not engage with Participants it certifies to perform consulting services outside of those functions described in paragraphs 5-14 of the Accountability Agent Recognition Criteria. Where TRUSTe does perform consultations with a non-certified company, this work is executed by a member of the Legal department staff, as opposed to Operations staff. TRUSTe has informed the JOP that it engages in less than 20 outside consulting engagements per year.] Program Requirements (Recognition Criterion 4) Applicant Accountability Agent should indicate whether it intends to use the relevant template documentation developed by APEC or make use of Annex C of the Accountability Agent Application for APEC Recognition to map its existing intake procedures program requirements. Recommendation: The JOP is satisfied that TRUSTe meets Recognition Criterion 4. Discussion In consultation with the JOP, TRUSTe has mapped its existing intake procedures (available at to the established CBPR program requirements. (see Annex C) [NOTE: As part of the consultation process, Member Economies requested confirmation that TRUSTe would post its CBPR program requirements online. TRUSTe intends to offer CBPR certification as a unique 8

11 seal and has confirmed that it will post the CBPR program requirements separately from its Website Privacy Program Requirements. For purposes of this unique seal, TRUSTe will not distinguish between online and offline collected data in its program requirements and will make clear in its posted CBPR program requirements that its CBPR certification extends to any medium through which a company seeking CBPR certification collects personal data. In addition TRUSTe will also post this signed Recommendation Report. TRUSTe will post all CBPR-certified companies online as well as the applicable CBPR program requirements on its website.] Certification Process (Recognition Criterion 5) Applicant Accountability Agent should submit a description of how the requirements as identified in 5 (a) (d) of Annex A of the Accountability Agent Application for APEC Recognition have been met. Recommendation: The JOP is satisfied that TRUSTe meets Recognition Criterion 5. Discussion TRUSTe has documented that it has in place a certification process to review an applicant organization s policies and practices to ensure compliance with the CBPR system requirements (as identified in Recognition Criterion 4, above, discussed in the Appendix) and to verify that organization s compliance with these requirements. In its application, TRUSTe described the following certification process: 1) TRUSTe will perform an initial assessment 14 of an applicant s compliance; 2) TRUSTe then provides a comprehensive report to the applicant outlining findings regarding compliance with TRUSTe s Privacy Certification Program Requirements; 3) TRUSTe then verifies that any required changes as outlined in the findings report have been properly implemented; and 4) Upon successful conclusion of the above-listed steps, TRUSTe will certify that the applicant is in compliance with their program requirements. TRUSTe will post all CBPR-certified companies online (to be made available at as well as the applicable CBPR program requirements. On-going Monitoring and Compliance Review Processes (Recognition Criteria 6, 7) Applicant Accountability Agent should submit a description of the written procedures to ensure the integrity of the certification process and to monitor the participant s 14 In its application, TRUSTe described the combination of the methodologies to conduct this review, including manual evaluation of the client s practices, the applicant s attestations and interviews, and technological monitoring. TRUSTe has indicated that the extent to which it makes use of one methodology over another is dependent on an applicant s risk profile as determined by how the applicant collects, uses and shares personal data and the applicant s third party, data-sharing relationships. 9

12 compliance with the program requirements described in 5 (a)-(d) in the Accountability Agent Application for APEC Recognition. Applicant Accountability Agent should describe the review process to be used in the event of a suspected breach of the program requirements described in 5(a)-(d) in the Accountability Agent Application for APEC Recognition. Recommendation: The JOP is satisfied that TRUSTe meets Recognition Criteria 6, 7. Discussion TRUSTe has documented that it has in place written procedures to ensure the integrity of the certification process described above and to monitor a participant s compliance with the program requirements as identified in Recognition Criterion 4, above, discussed in the Appendix. In its application, TRUSTe has described the four mechanisms it uses to ensure that compliance with established program requirements is consistently and continually maintained. These mechanisms include: 1) Web crawling: Proprietary TRUSTe technology verifies the existence of key website elements (e.g. a privacy policy at the point of PII collection), and website processes (e.g. the transmission of credit cards and other sensitive information over an encrypted connection). TRUSTe s web crawler also performs intensive website analysis for data collection and ad targeting processes, and in conjunction with other techniques serves as TRUSTe s technological accountability platform for monitoring clients. 2) seeding: A process by which compliance is monitored using unique addresses that do not reference TRUSTe, to check for sent by an unauthorized party, or after an unsubscribe request has been processed. 3) Traffic analysis: A network packet monitoring process primarily used to verify compliance for TRUSTe s mobile privacy and Trusted Download certifications. 4) Dispute resolution process: see Recognition Criteria 9-10, below, for further discussion. TRUSTe has indicated that it may initiate an internal compliance investigation based on results of the technological monitoring, described above, or on information contained in a consumer complaint, news or press reports, regulator inquiry, or reports from other credible sources. Where non-compliance with any program requirement is found, TRUSTe has indicated it will notify the participant of non-compliance and outline necessary corrections to be made within a stipulated timeframe. In its application, TRUSTe described the three possible outcomes of this process as follows: 1) An agreement between TRUSTe and the Participant over the privacy complaint resulting in Participant resolution that addresses the consumer concern or request. TRUSTe provides a reasonable timeframe to complete the required changes based on the risk and level of non-compliance. 10

13 2) A disagreement triggering a notice of formal enforcement, resulting in the Participant s suspension or notice of intent to terminate for cause if the matter is not cured. 3) A failure to implement the required cure resulting in the Participant s termination from TRUSTe s program and, in extreme cases, publication and/or referral to an appropriate authority. Additional verification activities, including third-party onsite audits, may be warranted in certain circumstances both during certification and compliance. 15 Re-Certification and Annual Attestation (Recognition Criterion 8) Applicant Accountability Agent should describe their re-certification and review process as identified in 8 (a)-(d) in the Accountability Agent Application for APEC Recognition. Recommendation: The JOP is satisfied that TRUSTe meets Recognition Criterion 8. Discussion The JOP has confirmed that TRUSTe requires an annual re-certification at which time TRUSTe investigates whether the Participant is meeting and/or exceeding TRUSTe s Program Requirements. In addition, if the Participant notifies TRUSTe of a change or TRUSTe detects a change outside the annual re-certification cycle, the change will be verified by TRUSTe immediately. Dispute Resolution Process (Recognition Criteria 9, 10) Applicant Accountability Agent should describe the mechanism to receive and investigate complaints and describe the mechanism for cooperation with other APEC recognized Accountability Agents that may be used when appropriate. Applicant Accountability Agent should describe how the dispute resolution process meets the requirements identified in 10 (a) (h) of Annex A, whether supplied directly by itself or by a third party under contract (and identify the third party supplier of such services if applicable and how it meets the conflict of interest requirements identified in sections 1-3 of Annex A) as well as its process to submit the required information in Annexes D and E. Recommendation: The JOP is satisfied that TRUSTe meets Recognition Criteria 9, 10. Discussion The JOP has confirmed that TRUSTe has an existing in-house customer dispute resolution program to receive and investigate complaints about participants and to resolve disputes between complainants and participants. Following is an overview of TRUSTe s dispute resolution process as provided in its application for recognition: 15 see TRUSTe program requirements, Section III.B.5(a)(3)(b), available at 11

14 1) Receiving a Complaint: The TRUSTe Consumer Dispute Resolution process begins with a consumer complaint filed against a TRUSTe program Participant either with the company, or with TRUSTe. After TRUSTe receives a complaint, an investigation is initiated. [NOTE: A TRUSTe investigation may also be initiated after a TRUSTe scan, a media report, regulator inquiry or information obtained through other credible sources]. TRUSTe then reviews the complaint to determine if the complaint is relevant and falls under the scope of the Program Requirements. TRUSTe estimates this process generally takes 1-2 business days, but could take up to 10 business days. 2) Responding to a Complaint: The consumer receives TRUSTe s initial response within 10 business days, as specified in their published time frame. 16 TRUSTe s system notifies the consumer of the response by the Participant. The consumer and the Participant may correspond directly, with TRUSTe copied, such as in the event that the Participant asks the consumer for further information. Both the consumer and Participant are copied when TRUSTe sends its determination. 3) Investigating a Complaint: The nature and duration of the investigation needed can vary widely depending on the nature of the issue. TRUSTe quickly checks all issues that can be immediately verified. TRUSTe s system notifies the consumer of the response by the Participant. Consumer and Participant may correspond directly, with TRUSTe copied, such as in the event that the Participant asks the consumer for further information. Consumer and Participant are copied when TRUSTe sends its determination. 4) Resolving a Complaint: After the complaint has been investigated, the Participant ordinarily has 10 business days to provide a written response for the complainant. For more urgent issues, such as security vulnerabilities, TRUSTe escalates to the Participant via phone as well and generally expect responses much sooner, especially if we are able to verify the problem. 5) Written Notice of Complaint Resolution: Once the complaint is resolved, TRUSTe will send an notice to both the complainant and the Participant notifying them of closure of the complaint. 6) Process for Obtaining Consent: TRUSTe s Feedback and Resolution form asks the complainant to provide consent before TRUSTe shares their personal information with the program Participant the complainant is filing a dispute about. The full online submission process for submitting feedback and requesting assistance with privacyrelated disputes can be found at All personal information collected during the request for assistance is collected in accordance with TRUSTe s Privacy Policy, available at Mechanism for Enforcing Program Requirements (Recognition Criteria 11-15) Applicant Accountability Agent should provide an explanation of its authority to enforce its program requirements against participants. Applicant Accountability Agent should describe the policies and procedures for notifying a participant of non-compliance with Applicant s program requirements and provide a 16 The published timeframe can be found on TRUSTe s Feedback and Resolution Form at 12

15 description of the processes in place to ensure the participant remedy the noncompliance. Applicant Accountability Agent should describe the policies and procedures to impose any of the penalties identified in 13 (a) (e) of Annex A. Applicant Accountability Agent should describe its policies and procedures for referring matters to the appropriate public authority or enforcement agency for review and possible law enforcement action. [NOTE: immediate notification of violations may be appropriate in some instances]. Applicant Accountability Agent should describe its policies and procedures to respond to requests from enforcement entities in APEC Economies where possible. Recommendation: The JOP is satisfied that TRUSTe meets Recognition Criteria Discussion The JOP has confirmed that TRUSTe has a mechanism in place to enforce its program requirements, has established procedures to remedy non-compliance, impose penalties and notify public authorities, where appropriate. Following is an overview of these procedures as provided in TRUSTe s application for recognition: Authority to Enforce Program Requirements: TRUSTe has the authority to enforce its program requirements against Participants by contract through a Master Services Agreement (MSA) that must be signed by all clients prior to engagement (see MSA, section 3(a): Participant s Adherence to the Program: Participant s Obligation to Comply. Participant shall fully comply with the Applicable Program Requirements for each Program Amendment. ) 17 Process of Notifying Participant of Non-Compliance and Remedy: As discussed in Recognition Criterion 7, above, where non-compliance with any program requirement is found, TRUSTe has indicated it will notify the Participant of non-compliance and outline necessary corrections to be made within a stipulated timeframe. If the Participant fails to come back into compliance with the program requirements, TRUSTe will take steps, as outlined below, to either temporarily remove the seal from the Participant s website or terminate the Participant s participation in the program. Remedy of Non-Compliance within a Specified Timeframe: The JOP has confirmed that TRUSTe has a process in place to place to suspend a participant if it does not remedy non-compliance within a specific time period. This process is described in TRUSTe s Privacy Certification Program Requirements, section III.5.a (1)-(5), excerpted below 18 : 17 TRUSTe has provided the JOP with a copy of this documentation, which it has deemed business proprietary. Pursuant to the terms of the JOP Charter, this information is not included in this report, since this report is to be made publicly available. Should an Economy have further questions on this documentation, please contact the JOP. 18 Available at 13

16 5. Suspension Status a) In the event TRUSTe reasonably believes that Participant has materially violated these Program Requirements, Participant may be placed on suspension. 1) Notice will be provided with a mutually agreed upon description of the violation and any remedial actions that TRUSTe will require Participant to take during the Suspension Period ("Suspension Obligations"). 2) Participant will be considered to be on Suspension immediately upon receiving notice from TRUSTe. Suspension shall last until such time as the Participant has corrected the material breach or Program Requirements violation to TRUSTe's satisfaction, but not for a period of greater than six (6) months ("Suspension Period") unless mutually agreed by the Parties. 3) Suspension Obligations may include, but are not limited to: a) Compliance with additional Program Requirements; b) Cooperation with heightened compliance monitoring by TRUSTe; and c) Payment to TRUSTe of mutually agreed additional amounts as compensation for TRUSTe's additional compliance monitoring. d) Participant shall comply with all Suspension Obligations. 4) During the Suspension Period, Participant's status may be indicated via a TRUSTe Validation webpage or TRUSTe may require Participant to cease using the TRUSTe trustmarks. 5) At the end of the Suspension Period, TRUSTe will, in its discretion, either: a) Determine that Participant has complied with Participant's Suspension Obligations, thereby satisfying TRUSTe's concerns; b) Extend the Suspension Period by mutual agreement with the Participant; or c) Determine that Participant has failed to comply with Participant's Suspension Obligations and immediately terminate Participant for cause. In addition, if a client does not cure an issue and is terminated, TRUSTe has indicated it will evaluate factors such as whether the violation was egregious and intentional, or whether impact was de minimis, in determining whether to publicize the non-compliance. TRUSTe does not have authority by contract to impose monetary penalties. Referral to Relevant Privacy Authority: If a client does not cure an issue and is terminated, TRUSTe may refer the issue to the appropriate public authority or enforcement agency. 19 TRUSTe s referral to a privacy enforcement authority will also be contingent on whether or not the actions of the client rise to a level which would trigger jurisdiction by the privacy enforcement authority. TRUSTe does not refer clients to privacy enforcement authorities where such authority would be unable to take action against the referred client. Response to Requests from Enforcement Entities: TRUSTe has indicated that where possible, it will respond to requests from enforcement authorities in APEC economies that reasonably relate to the CBPR-related activities of TRUSTe. 19 In making a determination to refer, TRUSTe will evaluate factors such as whether the violation was egregious and intentional, or whether impact was de minimis. 14

17 III. CASE NOTES AND STATISTICS Will the Applicant provide relevant information on case notes and statistics as outlined in Annexes D and E of the Accountability Agent Application for APEC Recognition? Recommendation: The JOP is satisfied that TRUSTe meets the Case Notes and Statistics requirements as stipulated in Annexes D and F of the Accountability Agent Application for APEC Recognition. Discussion The Accountability Agent Recognition Criteria require applicants to attest that they have a process for releasing, in anonymised form, case notes on a selection of resolved complaints illustrating typical or significant interpretations and notable outcomes. TRUSTe has agreed to make use of the case note template in Annex D of the Accountability Agent Application for APEC Recognition to annually send anonymised case notes to APEC member Economies as a condition of their recognition. In addition to case notes, APEC Member Economies have identified complaint statistics as a valuable part of a transparent and accountable complaints handling system that can help paint a picture of how the CBPR program is operating and will promote understanding and confidence in the system. Annex E of the Accountability Agent Application for Recognition contains the minimum elements APEC member Economies determined are necessary to realize these benefits. These elements include: Number of complaints received during the year with a comment by the Accountability Agent on the significance of the number. Complaints processed during the year broken down by the outcome. When the Accountability Agent has made findings upholding complaints, further statistical information should be given about the outcomes and any subsequent enforcement action. Comment on the significance of the complaints outcomes. Statistics should be provided as to the type of complaints, including the subject matter of the complaint and characterization of the complainants and the respondents and comment on the significance of the reported figures. An indication as to any quality measures used in relation to the particular CBPR program. In fulfillment of this requirement, TRUSTe submitted its annual Transparency Report for consideration. 20 This annual report provides information on its certification programs, processes, and statistics on the number and types of complaints received during the previous calendar year. TRUSTe has agreed to forward this information to APEC Member Economies on an annual basis as a condition of its recognition. [NOTE: It was originally proposed that these case notes and 20 Available at 15

18 statistics be drawn from all TRUSTe-certified companies and not be limited to those companies that have received CBPR certification. As part of the consultation process, Member Economies requested that case notes and statistics be drawn exclusively from those companies that have received CBPR certification. Pursuant to the JOP s consultative process, the JOP conveyed this opinion to TRUSTe. TRUSTe agrees to provide case notes and statistics exclusively from its pool of CBPR-certified companies. This information will be provided to APEC member Economies and made publically available on an annual basis in the form of its annual Transparency Report and any additional information required to fulfill both the case notes and statistics requirements as outlined in Annexes D and E of the Accountability Agent Application for APEC Recognition.] 16

19 SIGNATURE AND CONTACT INFORMATION By signing this document, the signing party and agrees to the findings of the Joint Oversight Panel contained herein and attests to the truth of the information provided to the Joint Oversight Panel pursuant to the Application for APEC Recognition. [Signature of person who has authority to commit party to the agreement] [Typed name]: Tim Sullivan [Date]: 19 June 2013 [Typed title]: Chief Financial Officer [Typed name of organization]: TRUSTe [Address of organization]: 835 Market Street Suite 800, San Francisco, CA USA [ address]: [Telephone number]: (415) APEC recognition is limited to one year from the date of recognition. Each year one month prior to the anniversary of the date of recognition, the Accountability Agent must resubmit this form and any associated documentation to the appropriate government agency or public authority or as soon as practicable in the event of a material change (e.g. ownership, structure, policies). NOTE: Failure to comply with any of the requirements outlined in this document may result in appropriate sanctions under applicable domestic law. 17